def test_missing_kid_in_jws_header(self):
jws = json.loads(jwts.make_jws({"a": 1}, self.keypairs[:1]))
header = json.loads(utils.to_string(utils.base64url_decode(jws["signatures"][0]["protected"])))
del header["kid"]
jws["signatures"][0]["protected"] = utils.to_string(utils.base64url_encode(json.dumps(header)))
with self.assertRaises(exceptions.InvalidFormatError):
jwts.verify_jws(json.dumps(jws), self.keypairs[:1])
def test_encrypt_bytes(self):
data = ['string', b'bytes']
for text in data:
logger.debug('enc/dec %s', text)
enc = self.project_credentials.encrypt(text)
cleartext = utils.to_string(self.project_credentials.decrypt(enc['ct'], enc['iv']))
cleartext.should.equal(utils.to_string(text))
def test_invalid_alg_in_jws_header(self):
jws = json.loads(jwts.make_jws({"a": 1}, self.keypairs[:1]))
header = json.loads(utils.to_string(utils.base64url_decode(jws["signatures"][0]["protected"])))
header["alg"] = "bog"
jws["signatures"][0]["protected"] = utils.to_string(utils.base64url_encode(json.dumps(header)))
with self.assertRaises(exceptions.InvalidAlgorithmError):
jwts.verify_jws(json.dumps(jws), self.keypairs[:1])
def test_encrypt_bytes(self):
data = ['string', b'bytes']
for text in data:
logger.debug('enc/dec %s', text)
enc = self.project_credentials.encrypt(text)
cleartext = utils.to_string(self.project_credentials.decrypt(enc))
self.assertEqual(cleartext, utils.to_string(text))
def test_missing_kid_in_jws_header(self):
jws = json.loads(jwts.make_jws({'a': 1}, self.keypairs[:1]))
header = json.loads(utils.to_string(
utils.base64url_decode(jws['signatures'][0]['protected'])
))
del header['kid']
jws['signatures'][0]['protected'] = utils.to_string(
utils.base64url_encode(json.dumps(header))
)
(jwts.verify_jws.when.called_with(json.dumps(jws), self.keypairs[:1])
.should.throw(exceptions.InvalidFormatError))
def test_missing_kid_in_jws_header(self):
jws = json.loads(jwts.make_jws({'a': 1}, self.keypairs[:1]))
header = json.loads(
utils.to_string(
utils.base64url_decode(jws['signatures'][0]['protected'])))
del header['kid']
jws['signatures'][0]['protected'] = utils.to_string(
utils.base64url_encode(json.dumps(header)))
with self.assertRaises(exceptions.InvalidFormatError):
jwts.verify_jws(json.dumps(jws), self.keypairs[:1])
def test_invalid_alg_in_jws_header(self):
jws = json.loads(jwts.make_jws({'a': 1}, self.keypairs[:1]))
header = json.loads(
utils.to_string(
utils.base64url_decode(jws['signatures'][0]['protected'])))
header['alg'] = 'bog'
jws['signatures'][0]['protected'] = utils.to_string(
utils.base64url_encode(json.dumps(header)))
with self.assertRaises(exceptions.InvalidAlgorithmError):
jwts.verify_jws(json.dumps(jws), self.keypairs[:1])
def test_invalid_alg_in_jws_header(self):
jws = json.loads(jwts.make_jws({'a': 1}, self.keypairs[:1]))
header = json.loads(utils.to_string(
utils.base64url_decode(jws['signatures'][0]['protected'])
))
header['alg'] = 'bog'
jws['signatures'][0]['protected'] = utils.to_string(
utils.base64url_encode(json.dumps(header))
)
with self.assertRaises(exceptions.InvalidAlgorithmError):
jwts.verify_jws(json.dumps(jws), self.keypairs[:1])
def test_missing_typ_in_jws_header(self):
jws = json.loads(jwts.make_jws({'a': 1}, self.keypairs[:1]))
header = json.loads(utils.to_string(
utils.base64url_decode(jws['signatures'][0]['protected'])
))
del header['typ']
jws['signatures'][0]['protected'] = utils.to_string(
utils.base64url_encode(json.dumps(header))
)
with self.assertRaises(exceptions.InvalidFormatError):
jwts.verify_jws(json.dumps(jws), self.keypairs[:1])
def test_protected_header_overrides(self):
jwe_json = json.loads(self.jwe)
jwe_json['protected'] = utils.to_string(
utils.base64url_encode(
json.dumps({
"apu":
utils.to_string(utils.base64url_encode('bogus')),
})))
jwe = json.dumps(jwe_json)
with self.assertRaises(exceptions.DecryptionFailed):
jwes.decrypt_jwe(jwe, self.recipient_keypairs[0])
def test_decrypt_only_legacy(self):
enc = service.encrypt_attr_value(self.data, self.key, True)
del enc['header']
del enc['ciphertext']
del enc['tag']
decrypted = utils.to_string(service.decrypt_attr_value(enc, self.key))
self.assertEqual(decrypted, self.data)
def test_string_encryption(self):
key = service.create_aes_key()
data = 'Hello, Im Data'
edata = service.encrypt_attr_value(data, key)
self.assertEqual(
utils.to_string(service.decrypt_attr_value(edata, key)),
data
)
def test_encrypt(self):
enc = self.project_credentials.encrypt(self.data)
enc.should.have.key('cipher').with_value.equal('aes')
enc.should.have.key('mode').with_value.equal('gcm')
enc.should.have.key('ts').with_value.equal(128)
cleartext = utils.to_string(self.project_credentials.decrypt(enc['ct'], enc['iv']))
cleartext.should.equal(self.data)
def test_content_encryption_failure(self):
jwe_json = json.loads(self.jwe)
jwe_json['ciphertext'] = utils.to_string(
utils.base64url_encode('bogus'))
jwe = json.dumps(jwe_json)
with self.assertRaises(exceptions.DecryptionFailed):
jwes.decrypt_jwe(jwe, self.recipient_keypairs[0])
def _check_write_file(self, binary):
filename = None
with tempfile.NamedTemporaryFile(delete=True) as tf:
key = tf.name[1:]
filename = 's3://{}/{}'.format(self.bucket_name, key)
self.assertIsNotNone(filename)
s3_handler.write_file(filename, self.data, binary)
obj = self.bucket.Object(key)
data = obj.get()['Body'].read()
if binary:
self.assertEqual(data, self.data)
else:
self.assertEqual(utils.to_string(data), utils.to_string(self.data))
obj.delete()
def _check_write_file(self, binary):
filename = None
with tempfile.NamedTemporaryFile(delete=True) as tf:
key = tf.name[1:]
filename = 's3://{}/{}'.format(self.bucket_name, key)
self.assertIsNotNone(filename)
s3_handler.write_file(filename, self.data, binary)
obj = self.bucket.Object(key)
data = obj.get()['Body'].read()
if binary:
self.assertEqual(data, self.data)
else:
self.assertEqual(utils.to_string(data), utils.to_string(self.data))
obj.delete()
def test_encrypt(self):
enc = self.project_credentials.encrypt(self.data)
self.assertIn("cipher", enc)
self.assertIn("mode", enc)
self.assertIn("ts", enc)
self.assertEqual(enc.get("cipher"), "aes")
self.assertEqual(enc.get("mode"), "gcm")
self.assertEqual(enc.get("ts"), 128)
cleartext = utils.to_string(self.project_credentials.decrypt(enc))
self.assertEqual(cleartext, self.data)
def test_encrypt(self):
enc = self.project_credentials.encrypt(self.data)
self.assertIn("cipher", enc)
self.assertIn("mode", enc)
self.assertIn("ts", enc)
self.assertEqual(enc.get("cipher"), "aes")
self.assertEqual(enc.get("mode"), "gcm")
self.assertEqual(enc.get("ts"), 128)
cleartext = utils.to_string(
self.project_credentials.decrypt(enc['ct'], enc['iv'])
)
self.assertEqual(cleartext, self.data)
def _handle_auth_endpoint(headers=None, data=None):
logger.debug('data=%s', data)
try:
jwt_header, jwt_claims, jwt_sig = data.split('.')
except ValueError:
jws = json.loads(data)
jwt_claims = jws['payload']
sigs = jws['signatures']
if len(sigs) != 1:
raise AttributeError
jwt_header = sigs[0]['protected']
jwt_sig = sigs[0]['signature']
except:
return MockResponse('Bad Request', 400)
try:
key = keychain.Keypair.from_secret_pem(
key_bytes=TestSession.id_key_bytes,
)
key.identity = 'id'
oneid_key = keychain.Keypair.from_secret_pem(
key_bytes=TestSession.oneid_key_bytes,
)
oneid_key.identity = 'oneID'
payload = '{}.{}'.format(jwt_header, jwt_claims)
key.verify(payload, jwt_sig)
logger.debug('claims=%s', jwt_claims)
json_claims = utils.to_string(utils.base64url_decode(jwt_claims))
jws = jwts.make_jws(json.loads(json_claims), [key, oneid_key])
logger.debug('jws=%s', jws)
return MockResponse(jws, 200)
except InvalidSignature:
logger.debug('invalid signature', exc_info=True)
return MockResponse('Forbidden', 403)
return MockResponse('Internal Server Error', 500)
def test_decrypt_dict(self):
enc = self.project_credentials.encrypt(self.data)
cleartext = utils.to_string(self.project_credentials.decrypt(enc))
cleartext.should.equal(self.data)
def test_to_string(self):
self.assertEqual(self.str_thing, utils.to_string(self.str_thing))
self.assertEqual(self.str_thing, utils.to_string(self.bytes_thing))
def test_decrypt_dict(self):
enc = self.project_credentials.encrypt(self.data)
cleartext = utils.to_string(self.project_credentials.decrypt(enc))
self.assertEqual(cleartext, self.data)
def test_decrypt(self):
enc = service.encrypt_attr_value(self.data, self.key)
utils.to_string(service.decrypt_attr_value(enc, self.key)).should.equal(self.data)
def test_decrypt_without_legacy_follow_standard_encoding(self):
enc = service.encrypt_attr_value(self.data, self.key, False)
enc['iv'] = base64.b64encode(utils.base64url_decode(enc['iv']))
decrypted = utils.to_string(service.decrypt_attr_value(enc, self.key))
self.assertEqual(decrypted, self.data)
def test_decrypt(self):
enc = service.encrypt_attr_value(self.data, self.key)
decrypted = utils.to_string(service.decrypt_attr_value(enc, self.key))
self.assertEqual(decrypted, self.data)
def test_decrypt_without_legacy(self):
enc = service.encrypt_attr_value(self.data, self.key, False)
decrypted = utils.to_string(service.decrypt_attr_value(enc, self.key))
self.assertEqual(decrypted, self.data)
def test_string_encryption(self):
key = service.create_aes_key()
data = 'Hello, Im Data'
edata = service.encrypt_attr_value(data, key)
self.assertEqual(
utils.to_string(service.decrypt_attr_value(edata, key)), data)
def test_to_string(self):
self.assertEqual(self.str_thing, utils.to_string(self.str_thing))
self.assertEqual(self.str_thing, utils.to_string(self.bytes_thing))
def test_decrypt(self):
enc = service.encrypt_attr_value(self.data, self.key)
decrypted = utils.to_string(service.decrypt_attr_value(enc, self.key))
self.assertEqual(decrypted, self.data)
def test_decrypt_dict(self):
enc = self.project_credentials.encrypt(self.data)
cleartext = utils.to_string(self.project_credentials.decrypt(enc))
self.assertEqual(cleartext, self.data)